Manage Safety and Environmental Protection
Note: Data represent total number of cases per 100 full-time employees
Source: U.S. Bureau of Labor Statistics, Occupational Injuries and Illnesses in the United States by Industry, annual
As with all the other costs of construction, it is a mistake for owners to ignore a significant
category of costs such as injury and illnesses. While contractors may pay insurance premiums
directly, these costs are reflected in bid prices or contract amounts. Delays caused by injuries and
illnesses can present significant opportunity costs to owners. In the long run, the owners of
constructed facilities must pay all the costs of construction. For the case of injuries and illnesses,
this general principle might be slightly qualified since significant costs are borne by workers
themselves or society at large.
However, court judgments and insurance payments compensate for individual losses and are
ultimately borne by the owners.
The causes of injuries in construction are numerous. Table 13-2 lists the reported causes of
accidents in the US construction industry in 1997. A similar catalogue of causes would exist for
other countries. The largest single category for both injuries and fatalities is individual falls.
Handling goods and transportation are also a significant cause of injuries. From a management
perspective, however, these reported causes do not really provide a useful prescription for safety
policies. An individual fall may be caused by a series of coincidences: a railing might not be
secure, a worker might be inattentive, the footing may be slippery, etc. Removing any one of
these compound causes might serve to prevent any particular accident. However, it is clear that
conditions such as unsecured railings will normally increase the risk of accidents. Table 13-3
provides a more detailed list of causes of fatalities for construction sites alone, but again each
fatality may have multiple causes.
TABLE 13-2 Fatal Occupational Injuries in
All accidents                     1,107    1,190
Rate per 100,000 workers             14       14
Cause                        Percentage
Transportation incidents            26%      27%
Assaults/violent acts                3        2
Contact with objects                18       21
Falls                               34       32
Exposure                            17       15
Various measures are available to improve jobsite safety in construction. Several of the most
important occur before construction is undertaken. These include design, choice of technology
and education. By altering facility designs, particular structures can be safer or more hazardous
to construct.
Choice of technology can also be critical in determining the safety of a jobsite. Safeguards built
into machinery can notify operators of problems or prevent injuries. For example, simple
switches can prevent equipment from operating when protective shields are not in place.
With the availability of on-board electronics (including computer chips) and sensors, the
possibilities for sophisticated machine controllers and monitors have greatly expanded for
construction equipment and tools. Materials and work process choices also influence the safety
of construction.
Educating workers and managers in proper procedures and hazards can have a direct impact on
jobsite safety. The realization of the large costs involved in construction injuries and illnesses
provides a considerable motivation for awareness and education. Regular safety inspections and
safety meetings have become standard practices on most job sites.
Pre-qualification of contractors and sub-contractors with regard to safety is another important
avenue for safety improvement. If contractors are only invited to bid or enter negotiations if they
have an acceptable record of safety (as well as quality performance), then a direct incentive is
provided to ensure adequate safety on the part of contractors.
During the construction process itself, the most important safety-related measures are to ensure
vigilance and cooperation on the part of managers, inspectors and workers. Vigilance involves
considering the risks of different working practices. It also involves maintaining temporary
physical safeguards such as barricades, braces, guy lines, railings, toe boards and the like. Sets of
standard practices are also important, such as:
While eliminating accidents and work-related illnesses is a worthwhile goal, it will never be
attained. Construction has a number of characteristics making it inherently hazardous. Large
forces are involved in many operations. The jobsite is continually changing as construction
proceeds. Workers do not have fixed worksites and must move around a structure under
construction. The tenure of a worker on a site is short, so the worker's familiarity and the
employer-employee relationship are less settled than in manufacturing settings. Despite these
peculiarities, and precisely because of these special problems, improving worksite safety is a very
important project management concern.
The uncertainty in undertaking a construction project comes from many sources and often
involves many participants in the project. Since each participant tries to minimize its own risk,
the conflicts among various participants can be detrimental to the project. Only the owner has the
power to moderate such conflicts as it alone holds the key to risk assignment through proper
contractual relations with other participants. Failure to recognize this responsibility by the owner
often leads to undesirable results. In recent years, the concept of "risk sharing/risk assignment"
contracts has gained acceptance by the federal government. Since this type of contract
acknowledges the responsibilities of the owners, the contract prices are expected to be lower than
those in which all risks are assigned to contractors.
In approaching the problem of uncertainty, it is important to recognize that incentives must be
provided if any of the participants is expected to take a greater risk. The willingness of a
participant to accept risks often reflects the professional competence of that participant as well as
its propensity to risk. However, society's perception of the potential liabilities of the participant
can affect the attitude of risk-taking for all participants. When a claim is made against one of the
participants, it is difficult for the public to know whether a fraud has been committed, or simply
that an accident has occurred.
Risks in construction projects may be classified in a number of ways. One form of classification
is as follows:
1. Socioeconomic factors
   Environmental protection
   Public safety regulation
   Economic instability
   Exchange rate fluctuation
2. Organizational relationships
   Contractual relations
   Attitudes of participants
   Communication
3. Technological problems
   Design assumptions
   Site conditions
   Construction procedures
   Construction occupational safety
The environmental protection movement has contributed to the uncertainty for construction
because of the inability to know what will be required and how long it will take to obtain
approval from the regulatory agencies. The requirements of continued re-evaluation of problems
and the lack of definitive criteria which are practical have also resulted in added costs. Public
safety regulations have similar effects, which have been most noticeable in the energy field
involving nuclear power plants and coal mining. The situation has created constantly shifting
guidelines for engineers, constructors and owners as projects move through the stages of
planning to construction. These moving targets add a significant new dimension of uncertainty
which can make it virtually impossible to schedule and complete work at budgeted cost.
Economic conditions of the past decade have further reinforced the climate of uncertainty with
high inflation and interest rates. The deregulation of financial institutions has also generated
unanticipated problems related to the financing of construction.
Uncertainty stemming from regulatory agencies, environmental issues and financial aspects of
construction should be at least mitigated or ideally eliminated. Owners are keenly interested in
achieving some form of breakthrough that will lower the costs of projects and mitigate or
eliminate lengthy delays. Such breakthroughs are seldom planned. Generally, they happen when
the right conditions exist, such as when innovation is permitted or when a basis for incentive or
reward exists.
However, there is a long way to go before a true partnership of all parties involved can be forged.
During periods of economic expansion, major capital expenditures are made by industries and
bid up the cost of construction. In order to control costs, some owners attempt to use fixed price
contracts so that the risks of unforeseen contingencies related to an overheated economy are
passed on to contractors. However, contractors will raise their prices to compensate for the
additional risks.
The risks related to organizational relationships may appear to be unnecessary but are quite real.
Strained relationships may develop between various organizations involved in the
design/construct process. When problems occur, discussions often center on responsibilities
rather than project needs at a time when the focus should be on solving the problems.
Cooperation and communication between the parties are discouraged for fear of the effects of
impending litigation. This barrier to communication results from the ill-conceived notion that
uncertainties resulting from technological problems can be eliminated by appropriate contract
terms. The net result has been an increase in the costs of constructed facilities.
The risks related to technological problems are familiar to the design/construct professions which
have some degree of control over this category. However, because of rapid advances in new
technologies which present new problems to designers and constructors, technological risk has
become greater in many instances. Certain design assumptions which have served the
professions well in the past may become obsolete in dealing with new types of facilities which
may have greater complexity or scale or both. Site conditions, particularly subsurface conditions
which always present some degree of uncertainty, can create an even greater degree of
uncertainty for facilities with heretofore unknown characteristics during operation. Because
construction procedures may not have been fully anticipated, the design may have to be modified
after construction has begun. An example of facilities which have encountered such uncertainty
is the nuclear power plant, and many owners, designers and contractors have suffered for
undertaking such projects.
If each of the problems cited above can cause uncertainty, the combination of such problems is
often regarded by all parties as being out of control and inherently risky. Thus, the issue of
liability has taken on major proportions and has influenced the practices of engineers and
constructors, who in turn have influenced the actions of the owners.
Many owners have begun to understand the problems of risks and are seeking to address some of
these problems. For example, some owners are turning to those organizations that offer complete
capabilities in planning, design, and construction, and tend to avoid breaking the project into
major components to be undertaken individually by specialty participants. Proper coordination
throughout the project duration and good organizational communication can avoid delays and
costs resulting from fragmentation of services, even though the components from various
services are eventually integrated.
Attitudes of cooperation can be readily applied to the private sector, but only in special
circumstances can they be applied to the public sector. The ability to deal with complex issues is
often precluded in the competitive bidding which is usually required in the public sector. The
situation becomes more difficult with the proliferation of regulatory requirements and resulting
delays in design and construction while awaiting approvals from government officials who do
not participate in the risks of the project.
Investment appraisal methods
(interest rate is 10% per annum)
$110 / (1 + 10%) = $100        $110 / (1 + 10%)^2 = $100
The two projects are of equal value to the company because their present values are the same.
economic evaluation involve a degree of uncertainty. Probabilistic methods are often
used in decision analysis to determine expected costs and benefits as well as to assess the
degree of risk in particular projects.
In estimating benefits and costs, it is common to attempt to obtain the expected or
average values of these quantities depending upon the different events which might
occur. Statistical techniques such as regression models can be used directly in this regard
to provide forecasts of average values.
Alternatively, the benefits and costs associated with different events can be estimated and
the expected benefits and costs calculated as the sum over all possible events of the
resulting benefits and costs multiplied by the probability of occurrence of a particular
event:
$$E[B_t] = \sum_{q=1}^{m} (B_t \mid q)\,\Pr\{q\}$$
$$E[C_t] = \sum_{q=1}^{m} (C_t \mid q)\,\Pr\{q\}$$
where q = 1, …, m represents possible events, (B_t|q) and (C_t|q) are benefits and costs
respectively in period t due to the occurrence of q, Pr{q} is the probability that q occurs,
and E[B_t] and E[C_t] are respectively the expected benefit and cost in period t. Hence, the
expected net benefit in period t is given by:
$$E[A_t] = E[B_t] - E[C_t]$$
For example, the average cost of a facility in an earthquake prone site might be calculated
as the sum of the cost of operation under normal conditions (multiplied by the probability
of no earthquake) plus the cost of operation after an earthquake (multiplied by the
probability of an earthquake).
Expected benefits and costs can be used directly in the cash flow calculations described
earlier.
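The expected-value sums above, worked through in code. This is an added example, not from the original notes; the earthquake-site figures (event names, probabilities, benefits and costs) are constructed for illustration, and the resulting E[A_t] series is the kind of cash flow the text says can be fed into the discounting calculations.

```python
"""Expected benefit, cost and net benefit per period over mutually exclusive
events q = 1..m, following E[B_t] = sum_q (B_t|q) Pr{q} and E[C_t] likewise.

Added example with constructed figures; not from the original notes.
"""
from typing import Dict, List, Tuple

# Constructed one-period scenario table for the earthquake-prone facility:
# event -> (Pr{q}, B_t|q, C_t|q). All values are assumptions for illustration.
EARTHQUAKE_PERIOD: Dict[str, Tuple[float, float, float]] = {
    "no earthquake": (0.98, 500_000.0, 200_000.0),    # normal operation
    "earthquake":    (0.02, 300_000.0, 2_600_000.0),  # reduced output plus repairs
}


def expected_values(scenarios: Dict[str, Tuple[float, float, float]]) -> Tuple[float, float, float]:
    """Return (E[B_t], E[C_t], E[A_t]) for one period.

    The events must be exhaustive, so their probabilities have to sum to 1;
    a table that violates this is rejected rather than silently mis-weighted.
    """
    total_p = sum(p for p, _, _ in scenarios.values())
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"event probabilities sum to {total_p:.4f}, not 1")
    if any(p < 0 for p, _, _ in scenarios.values()):
        raise ValueError("negative probability in scenario table")
    eb = sum(p * b for p, b, _ in scenarios.values())  # E[B_t] = sum (B_t|q) Pr{q}
    ec = sum(p * c for p, _, c in scenarios.values())  # E[C_t] = sum (C_t|q) Pr{q}
    return eb, ec, eb - ec                             # E[A_t] = E[B_t] - E[C_t]


def expected_cash_flows(periods: List[Dict[str, Tuple[float, float, float]]]) -> List[float]:
    """E[A_t] for each period t, ready to be discounted like any other cash flow."""
    return [expected_values(table)[2] for table in periods]


if __name__ == "__main__":
    eb, ec, ea = expected_values(EARTHQUAKE_PERIOD)
    print(f"E[B_t] = {eb:,.0f}  E[C_t] = {ec:,.0f}  E[A_t] = {ea:,.0f}")
    # Four identical periods of expected net benefit (constructed)
    print(expected_cash_flows([EARTHQUAKE_PERIOD] * 4))
```

The probability check matters in practice: a scenario table that omits an event (or double-counts one) produces an expected cost that looks precise but is simply wrong, and that is the error most likely to survive a review.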
In formulating objectives, some organizations wish to avoid risk so as to avoid the
possibility of losses. In effect, a risk avoiding organization might select a project with
lower expected profit or net social benefit as long as it had a lower risk of losses. This
preference results in a risk premium or higher desired profit for risky projects. A rough
method of representing a risk premium is to make the desired MARR higher for risky
projects.
Discounting
According to the time value of money concept, a dollar in one year is not worth the same as a dollar in another year.
In evaluating a multi-year investment, cash inflows and outflows are generated in different years.
It is necessary to convert the cash flows for different years into a common value at a common point of time, either at present or in the future.
Discounting is the process of reducing future cash flows to present values with the use of an interest rate:
$$\text{Present value} = \frac{FV_n}{(1+r)^n}$$
where FV_n = future value of an investment
n = number of years
r = appropriate interest rate
Example
John has won a lucky draw. He is deciding whether to receive the prize money of $3000 today or the following set of cash flows over the next three years:
Year   Cash flow
1      $1100
2      $1210
3      $1331

         Future value   Discount process   Present value
Year 1   $1100          $1100 / 1.1        $1000
Year 2   $1210          $1210 / 1.1^2      $1000
Year 3   $1331          $1331 / 1.1^3      $1000
FV 1
NPV =
¿¿
NPV        Decision             Reason
> 0        Accept the project   The rate of return from the project is greater than the rate of return from an equivalent-risk investment
Highest    Accept the project   If various projects are considered, the project with the highest positive NPV should be chosen
Example
A company is considering making several investments in the production facilities for the new
products with an estimated useful life of four years. The cash inflows and outflows are listed as
follows:

                      Project A ($)   Project B ($)   Project C ($)   Project D ($)
Initial investment       900000         1000000          303730         1500000
Cash inflow
Year 1                   120000          400000          100000           10000
Year 2                   250000          400000          100000           10000
Year 3                   400000          400000          100000         1000000
Year 4                  1300000          400000          100000         1000000
Project A: NPV = $517327 (accept)
Project B: NPV = $214920 (accept)
Project C: NPV = $0 (indifferent to accept or reject)
Project D: NPV = -$135801 (reject)
(b) With limited resources, the company should only accept project A because it generates the
highest NPV.
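The NPV appraisal of the four-project example above, carried through in code. This is an added example, not from the original notes. The notes do not state the discount rate used; 12% per annum is assumed here because it reproduces the four NPVs given ($517,327, about $214,920, about $0 and -$135,801).

```python
"""Net present value appraisal of the four projects in the example above.

Added example, not from the original notes. ASSUMED_RATE is an assumption:
the notes omit the rate, and 12% reproduces their four NPVs.
"""
from typing import Dict, List, Optional, Tuple

# Project data as given in the example: initial investment, inflows for years 1..4.
PROJECTS: Dict[str, Tuple[float, List[float]]] = {
    "A": (900_000, [120_000, 250_000, 400_000, 1_300_000]),
    "B": (1_000_000, [400_000, 400_000, 400_000, 400_000]),
    "C": (303_730, [100_000, 100_000, 100_000, 100_000]),
    "D": (1_500_000, [10_000, 10_000, 1_000_000, 1_000_000]),
}

ASSUMED_RATE = 0.12  # assumption; not stated in the notes


def present_value(future_value: float, rate: float, years: int) -> float:
    """PV = FV_n / (1 + r)^n."""
    return future_value / (1.0 + rate) ** years


def npv(rate: float, initial_investment: float, inflows: List[float]) -> float:
    """NPV = sum_t inflow_t / (1 + r)^t - initial investment (inflows[0] is year 1)."""
    discounted = sum(present_value(cf, rate, t) for t, cf in enumerate(inflows, start=1))
    return discounted - initial_investment


def decision(value: float, tolerance: float = 0.0) -> str:
    """Accept if NPV > 0, reject if NPV < 0; |NPV| <= tolerance counts as indifferent."""
    if value > tolerance:
        return "accept"
    if value < -tolerance:
        return "reject"
    return "indifferent"


def appraise(projects: Dict[str, Tuple[float, List[float]]], rate: float,
             tolerance: float = 0.0) -> Dict[str, Tuple[int, str]]:
    """Rounded NPV and accept/reject/indifferent decision for every project."""
    results = {}
    for name, (investment, inflows) in projects.items():
        value = npv(rate, investment, inflows)
        results[name] = (round(value), decision(value, tolerance))
    return results


def best_project(results: Dict[str, Tuple[int, str]]) -> Optional[str]:
    """With limited funds, pick the accepted project with the highest NPV (None if none)."""
    accepted = {name: value for name, (value, verdict) in results.items() if verdict == "accept"}
    return max(accepted, key=accepted.get) if accepted else None


if __name__ == "__main__":
    results = appraise(PROJECTS, ASSUMED_RATE, tolerance=10.0)
    for name, (value, verdict) in results.items():
        print(f"Project {name}: NPV = ${value:,} ({verdict})")
    print("Choose with limited resources:", best_project(results))
```

Exact arithmetic gives project C an NPV of roughly $5 rather than the $0 in the notes, because the notes round the four-year annuity factor to 3.0373 before multiplying; the `tolerance` argument makes that materiality threshold explicit instead of hiding it in the rounding.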
Advantages of NPV
Consistency with the time value of money concept
Consideration of all cash flows
Adoption of cash flows instead of accounting profit
The internal rate of return is the annual percentage return achieved by a project, the rate at which
the sum of discounted cash inflows over the life of the project is equal to the sum of
discounted cash outflows.
If the IRR is used to determine the NPV of a project, the NPV will be zero.
The company will accept this project only if the IRR is equal to or higher than the
minimum rate of return or the cost of capital.
Calculation procedures
1. By trial and error, find out the discount rate that will give a zero NPV
FV 1
NPV =
¿¿
IRR                                   Decision   Reason
< lowest acceptable level of return   Reject     NPV < 0
= lowest acceptable level of return   Accept     NPV = 0
> lowest acceptable level of return   Accept     NPV > 0
Highest                               Accept     If several projects are considered, the highest IRR should be chosen
Example
A project costs $400 and produces a regular cash inflow of $200 at the end of each of the next
three years. Calculate the IRR. If the minimum rate of return is 15%, suggest with reason
whether you should accept the project or not.

NPV = $200 / (1 + r) + $200 / (1 + r)^2 + $200 / (1 + r)^3 − $400

Assuming the discount rate is 22%:
NPV = $200 / 1.22 + $200 / 1.22^2 + $200 / 1.22^3 − $400 = $8.4

Assuming the discount rate is 24%:
NPV = $200 / 1.24 + $200 / 1.24^2 + $200 / 1.24^3 − $400 = −$3.8

Interpolating between the two trials:
$$IRR = L + \frac{P}{P - N}\,(H - L)$$
where L = discount rate of the low trial
H = discount rate of the high trial
P = NPV of cash flows of the low trial
N = NPV of cash flows of the high trial

$$IRR = 22\% + \frac{8.4}{8.4 - (-3.8)}\,(24 - 22)\% = 23.38\%$$

Since the IRR (23.38%) is higher than the minimum rate of return (15%),
the project should be accepted.
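The trial-and-error IRR procedure above in code: NPV at the two trial rates, the notes' linear interpolation between them, and a bisection that carries the search to convergence. This is an added example, not from the original notes; the $400 cost, three $200 inflows, 22%/24% trials and 15% minimum rate are the notes' own figures.

```python
"""IRR of the $400 / three x $200 project: trial-and-error NPVs at two rates,
linear interpolation between them, and a bisection refinement.

Added example, not from the original notes.
"""
from typing import List, Optional

COST = 400.0
INFLOWS = [200.0, 200.0, 200.0]  # received at the end of years 1..3
MINIMUM_RATE = 0.15


def npv(rate: float, initial_investment: float, inflows: List[float]) -> float:
    """NPV = sum_t inflow_t / (1 + rate)^t - initial investment (inflows[0] is year 1)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(inflows, start=1)) - initial_investment


def irr_interpolate(low: float, high: float, npv_low: float, npv_high: float) -> float:
    """IRR ~ L + P / (P - N) * (H - L): straight-line interpolation between a
    low trial (rate L, NPV P) and a high trial (rate H, NPV N)."""
    if npv_low == npv_high:
        raise ValueError("the two trials give the same NPV; cannot interpolate")
    return low + npv_low / (npv_low - npv_high) * (high - low)


def irr_bisect(initial_investment: float, inflows: List[float],
               low: float = 0.0, high: float = 1.0, tol: float = 1e-10) -> Optional[float]:
    """Carry the trial-and-error search to convergence by halving a bracket
    [low, high] across which NPV changes sign. Returns None when NPV has the
    same sign at both ends, i.e. no single IRR lies in the range."""
    f_low = npv(low, initial_investment, inflows)
    f_high = npv(high, initial_investment, inflows)
    if f_low * f_high > 0:
        return None
    while high - low > tol:
        mid = (low + high) / 2.0
        f_mid = npv(mid, initial_investment, inflows)
        if f_low * f_mid <= 0:   # root lies in the lower half
            high, f_high = mid, f_mid
        else:                    # root lies in the upper half
            low, f_low = mid, f_mid
    return (low + high) / 2.0


def accept(irr: Optional[float], minimum_rate: float) -> bool:
    """Accept only if an IRR exists and is at least the minimum rate of return."""
    return irr is not None and irr >= minimum_rate


if __name__ == "__main__":
    p = npv(0.22, COST, INFLOWS)   # low trial, positive NPV
    n = npv(0.24, COST, INFLOWS)   # high trial, negative NPV
    print(f"NPV at 22% = {p:.2f}, NPV at 24% = {n:.2f}")
    print(f"interpolated IRR = {irr_interpolate(0.22, 0.24, p, n):.4%}")
    exact = irr_bisect(COST, INFLOWS)
    print(f"bisection IRR = {exact:.4%}, accept at {MINIMUM_RATE:.0%}? {accept(exact, MINIMUM_RATE)}")
```

Interpolation is only as good as the bracket: the NPV curve is convex in the rate, so the straight line between two trials two points apart lands within a few hundredths of a percent of the true root here, but a wide bracket (say 10% and 40%) would not. Bisection removes that dependence at the cost of a few dozen NPV evaluations.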
Payback period
The payback period is the period of time it takes for a company to recover its initial investment in a project.
The method measures the time required for a project's cash flows to equal the initial investment.
Acceptance criterion
Payback period                     Decision
< predetermined cutoff period      Accept the project
> predetermined cutoff period      Reject the project
Example
A company is considering making the following mutually exclusive investments in the
production facilities for the new products with an estimated useful life of four years. The cash
inflows and outflows are listed as follows:

                                Project A ($)   Project B ($)
Initial investment                 900000         1000000
Cash inflow at the end of year
Year 1                             700000          600000
Year 2                             100000          400000
Year 3                             100000          400000
Year 4                            1300000          400000

Discounted cash flow (discount rate 20%):
                      Project A ($)                   Project B ($)
Initial investment      900000                          1000000
Year 1         700000 / 1.2   = 583333       600000 / 1.2   = 500000
Year 2         100000 / 1.2^2 =  69444       400000 / 1.2^2 = 277778
Year 3         100000 / 1.2^3 =  57870       400000 / 1.2^3 = 231481
Year 4        1300000 / 1.2^4 = 626929       400000 / 1.2^4 = 192901

Discounted payback period, Project B: 2 + (1000000 − 777778) / 231481 = 2.96 years
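The payback calculation above in code, for both the simple and the discounted form. This is an added example, not from the original notes; the notes give only Project B's discounted payback (2.96 years at the 20% implied by the 1.2 factors), so Project A's discounted figure and both simple paybacks below are computed here rather than taken from the notes.

```python
"""Simple and discounted payback periods for projects A and B above.

Added example, not from the original notes. RATE = 0.20 is the discount
rate implied by the 1.2 factors in the notes' discounted cash flow table.
"""
from typing import Dict, List, Optional, Tuple

# Project data as given in the example: initial investment, inflows for years 1..4.
PROJECTS: Dict[str, Tuple[float, List[float]]] = {
    "A": (900_000, [700_000, 100_000, 100_000, 1_300_000]),
    "B": (1_000_000, [600_000, 400_000, 400_000, 400_000]),
}
RATE = 0.20


def payback_period(initial_investment: float, inflows: List[float],
                   rate: float = 0.0) -> Optional[float]:
    """Years until cumulative (discounted) inflows first equal the investment.

    rate=0 gives the simple payback; a positive rate discounts year t's inflow
    by (1 + rate)^t first. The fractional part assumes the recovering year's
    inflow accrues evenly through that year. Returns None if the investment
    is never recovered within the project's life.
    """
    if initial_investment <= 0:
        return 0.0
    cumulative = 0.0
    for year, cf in enumerate(inflows, start=1):
        pv = cf / (1.0 + rate) ** year
        if cumulative + pv >= initial_investment:
            shortfall = initial_investment - cumulative
            return (year - 1) + shortfall / pv
        cumulative += pv
    return None


def decide(period: Optional[float], cutoff_years: float) -> str:
    """Accept if paid back within the predetermined cutoff, otherwise reject."""
    if period is None:
        return "reject (never recovered)"
    return "accept" if period <= cutoff_years else "reject"


if __name__ == "__main__":
    for name, (investment, inflows) in PROJECTS.items():
        simple = payback_period(investment, inflows)
        discounted = payback_period(investment, inflows, rate=RATE)
        print(f"Project {name}: simple {simple:.2f} years, "
              f"discounted {discounted:.2f} years -> {decide(discounted, 3.0)}")
```

Note that Project A pays back later than B on either measure despite the larger year-4 inflow: payback ignores everything after recovery, which is exactly the weakness the NPV comparison earlier does not have.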
Accounting rate of return
The accounting rate of return compares the average accounting profit with the average investment cost of a project.
The accounting profit can be expressed either before tax or after tax.
Calculation procedures
$$ARR = \frac{\text{Average net profit per year (over the life of the project)}}{\text{Average investment cost}}$$
$$\text{Average net profit per year} = \frac{\text{Total profit}}{\text{Number of years in the life of the project}}$$
$$\text{Average investment cost} = \frac{\text{Initial investment}}{2}$$
Acceptance criterion
In evaluating an investment project, the ARR of the project is compared with a predetermined minimum acceptable accounting rate of return:
ARR                         Decision
< minimum acceptable rate   Reject project
= minimum acceptable rate   Accept project
> minimum acceptable rate   Accept project
Highest                     Choose highest ARR
Example
A company is considering whether to buy specialized machines for a new production line. The
purchase price of the machinery is $400000 and its estimated useful life is four years. There is no scrap
value after four years.
The project income statements:
Should the company buy the new machinery if the minimum acceptable rate of return is 20%?
Average net income = (51000 + 68000 + 59500 + 76500) / 4 = $63750
Average investment = (400000 + 0) / 2 = $200000
ARR = $63750 / $200000 = 31.875%
Advantages of ARR
It is easy to understand and compute
It avoids using gross figures. Therefore, it enables comparisons to be made between
projects with different useful lives
Disadvantages of ARR
It ignores the time value of money
ARR method seems to be less reliable than the NPV method. It adopts the accounting
profit instead of cash flows calculation. The change of depreciation method may also
alter the accounting profit
Risk Mapping Safety Inspections
The third inspection method is called risk mapping. It is a good method to use at a safety meeting
where everyone there is familiar with the workplace or process. This technique uses a
map/drawing of the workplace or a list of steps in a process. People in the group then tell the
leader the hazards they recognize and where they are located in the workplace or process. The
leader uses different colors or symbols to identify different types of hazards on the map or list of
steps. This type of inspection is valuable for involving all employees in identifying and resolving
safety hazards.
Improve health and safety practices and procedures
Measure Occupation Health and Safety (OHS) compliance
Check new facilities, equipment, processes
Collect information that identifies potential new safety initiatives
Maintain interest in health and safety through consultation
Display management commitment to health and safety
Empower staff to ensure a safe work environment.
Managers, in consultation with their staff and the OHS representatives, are responsible for
developing and implementing a system of workplace inspections, consistent with the work area’s
risk profile.
Workplace inspections involve the following steps:
Identifying the hazards
Assessing and rating the risks
Controlling the risks (using the Hierarchy of Control)
Implementing the risk controls
Monitoring and reviewing the risk controls
Documenting the results
Property has specific responsibility for inspecting building infrastructure, essential services,
grounds and walkways, plant and equipment and security.
Workgroup
Form an Inspection Team
Form an inspection team which includes the following:
A staff member(s) familiar with the work area
A management representative or their delegate
An OHS representative
A delegate from the Health and Safety Unit.
At least one of the inspection team must be trained in the University process for workplace
inspections.
Obtain Checklists
A range of Workplace Inspections Checklists is available to assist in the inspection process. The
checklists are based on the hazard register for each area and have been reviewed by staff in the
relevant area. They also assist in recording information and triggering questions during the
inspection.
INSPECT THE WORKPLACE
Consider the following factors when inspecting:
Workplace Design (i.e. the physical workplace, both internal and external environment)
Is the area suited to the work being carried out?
Does it provide adequate space for occupants?
Ensure the design meets relevant legislative requirements.
Does it comply with the OHS Act and Regulations?
Systems of Work
Are Policies and Procedures available?
Are Safe Operating Procedures written and accessible?
Is important information available to workers re hazards eg Hazard Register, Material
Safety Data Sheets?
Environment
Behavior
Identify risks
Assess and rate a risk
Report
Document the outcomes of your risk assessments on the Risk Assessment Form. Prepare a Workplace Safety Inspection Summary Report to the Executive Dean/Head of Office for action. Provide a copy of the report to the Central OHS Committee.
Document the results
Document all assessments on the Risk Register Form and forward this, along with copies of any completed Checklists and/or notes, to the following people:
Executive Dean
Head of Department
Health & Safety Unit
OHS Representative
Central OHS Committee
Executive Dean/Head of Office
The best way to manage risks in international trade is to anticipate, reduce or avoid them. Seek
legal advice and develop a risk management plan that is shared with your staff.
Process
According to the standard ISO 31000 "Risk management – Principles and guidelines on
implementation", the process of risk management consists of several steps as follows:
This involves:
1. identification of risk in a selected domain of interest
2. planning the remainder of the process
3. mapping out the following:
o the social scope of risk management
o the identity and objectives of stakeholders
o the basis upon which risks will be evaluated, constraints.
4. defining a framework for the activity and an agenda for identification
5. developing an analysis of risks involved in the process
6. mitigation or solution of risks using available technological, human and organizational
resources.
Identification
After establishing the context, the next step in the process of managing risk is to identify
potential risks. Risks are about events that, when triggered, cause problems. Hence, risk
identification can start with the source of problems, or with the problem itself.
Source analysis - Risk sources may be internal or external to the system that is the target
of risk management.
Examples of risk sources are: stakeholders of a project, employees of a company or the weather
over an airport.
Problem analysis- Risks are related to identified threats. For example: the threat of losing
money, the threat of abuse of confidential information or the threat of accidents and
casualties. The threats may exist with various entities, most important with shareholders,
customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that
can lead to a problem can be investigated. For example: stakeholders withdrawing during a
project may endanger funding of the project; confidential information may be stolen by
employees even within a closed network; lightning striking an aircraft during takeoff may make
all people on board immediate casualties.
The chosen method of identifying risks may depend on culture, industry practice and
compliance. The identification methods are formed by templates or the development of templates
for identifying source, problem or event. Common risk identification methods are:
Risk Assessment
Once risks have been identified, they must then be assessed as to their potential severity of
impact (generally a negative impact, such as damage or loss) and to the probability of
occurrence. These quantities can be either simple to measure, in the case of the value of a lost
building, or impossible to know for sure in the case of the probability of an unlikely event
29
occurring. Therefore, in the assessment process it is critical to make the best educated decisions
in order to properly prioritize the implementation of the risk management plan.
Even a short-term positive improvement can have long-term negative impacts. Take the
"turnpike" example. A highway is widened to allow more traffic. More traffic capacity leads to
greater development in the areas surrounding the improved traffic capacity. Over time, traffic
thereby increases to fill available capacity. Turnpikes thereby need to be expanded in a
seemingly endless cycle. There are many other engineering examples where expanded capacity
(to do any function) is soon filled by increased demand. Since expansion comes at a cost, the
resulting growth could become unsustainable without forecasting and management.
The fundamental difficulty in risk assessment is determining the rate of occurrence since
statistical information is not available on all kinds of past incidents. Furthermore, evaluating the
severity of the consequences (impact) is often quite difficult for intangible assets. Asset valuation
is another question that needs to be addressed. Thus, best educated opinions and available
statistics are the primary sources of information.
Once risks have been identified and assessed, all techniques to manage the risk fall into one or
more of these four major categories:
Risk avoidance
This includes not performing an activity that could carry risk. An example would be not buying a
property or business in order to not take on the legal liability that comes with it. Another would
be not flying in order not to take the risk of the airplane being hijacked. Avoidance may
seem the answer to all risks, but avoiding risks also means losing out on the potential gain that
accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss
also avoids the possibility of earning profits.
Hazard prevention
Hazard prevention refers to the prevention of risks in an emergency. The first and most effective
stage of hazard prevention is the elimination of hazards. If this takes too long, is too costly, or is
otherwise impractical, the second stage is mitigation.
Risk reduction
Risk reduction or "optimization" involves reducing the severity of the loss or the likelihood of
the loss from occurring. For example, sprinklers are designed to put out a fire to reduce the risk
of loss by fire. This method may cause a greater loss by water damage and therefore may not be
suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive
as a strategy.
Acknowledging that risks can be positive or negative, optimizing risks means finding a balance
between negative risk and the benefit of the operation or activity; and between risk reduction and
effort applied.
Modern software development methodologies reduce risk by developing and delivering software
incrementally. Early methodologies suffered from the fact that they only delivered software in
the final phase of development; any problems encountered in earlier phases meant costly rework
and often jeopardized the whole project. By developing in iterations, software projects can limit
effort wasted to a single iteration.
Risk sharing
Briefly defined as "sharing with another party the burden of loss or the benefit of gain, from a
risk, and the measures to reduce a risk."
The term 'risk transfer' is often used in place of risk sharing in the mistaken belief that you can
transfer a risk to a third party through insurance or outsourcing. In practice, if the insurance
company or contractor goes bankrupt or ends up in court, the original risk is likely to revert to
the first party. As such, in the terminology of practitioners and scholars alike, the purchase of an
insurance contract is often described as a "transfer of risk." However, technically speaking, the
buyer of the contract generally retains legal responsibility for the losses "transferred", meaning
that insurance may be described more accurately as a post-event compensatory mechanism. For
example, a personal injuries insurance policy does not transfer the risk of a car accident to the
insurance company. The risk still lies with the policy holder, namely the person who has been in
the accident. The insurance policy simply provides that if an accident (the event) occurs
involving the policy holder, then some compensation may be payable to the policy holder that is
commensurate with the suffering/damage.
Some ways of managing risk fall into multiple categories. Risk retention pools are technically
retaining the risk for the group, but spreading it over the whole group involves transfer among
individual members of the group. This is different from traditional insurance, in that no premium
is exchanged between members of the group up front, but instead losses are assessed to all
members of the group.
Risk retention
Involves accepting the loss, or benefit of gain, from a risk when it occurs. True self-insurance
falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring
against the risk would be greater over time than the total losses sustained. All risks that are not
avoided or transferred are retained by default. This includes risks that are so large or catastrophic
that they either cannot be insured against or the premiums would be infeasible. War is an
example: most property and risks are not insured against war, so the loss attributable to war
is retained by the insured. Also, any amount of potential loss (risk) over the amount insured is
retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost
to insure for greater coverage amounts is so great that it would hinder the goals of the organization
too much.
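The retention rule above (retain when the premium would exceed the losses sustained over time; anything above the insured amount, and any uninsurable peril, is retained regardless) worked through in code. This is an added example, not material from the manual; the risk names, probabilities, losses, premiums and coverage limits are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class InsurableRisk:
    """One loss exposure and the insurance on offer (all figures constructed)."""
    name: str
    annual_probability: float  # chance the loss event occurs in a given year
    loss_if_realized: float    # full loss suffered when the event happens
    annual_premium: float      # what an insurer charges per year to cover it
    coverage_limit: float      # most the policy pays out for one event
    insurable: bool = True     # False for perils policies exclude (e.g. war)


def expected_annual_loss(risk: InsurableRisk) -> float:
    """Average loss per year if the risk is simply retained."""
    return risk.annual_probability * risk.loss_if_realized


def retained_loss(risk: InsurableRisk) -> float:
    """Part of a realized loss that stays with the insured: everything above the
    coverage limit, or the whole loss when no policy covers the peril."""
    if not risk.insurable:
        return risk.loss_if_realized
    return max(0.0, risk.loss_if_realized - risk.coverage_limit)


def choose_treatment(risk: InsurableRisk) -> str:
    """Retain or share (insure) a risk using the retention rule in the text.

    Retention is viable when insuring would, over time, cost more than
    the losses actually sustained, i.e. the premium exceeds the expected
    annual loss. Perils no insurer will cover are retained by default.
    """
    if not risk.insurable:
        return "retain (uninsurable)"
    if risk.annual_premium > expected_annual_loss(risk):
        return "retain"
    return "share"


# Constructed portfolio: a nuisance risk, a serious insurable risk with a
# coverage gap, and an excluded peril.
PORTFOLIO = [
    InsurableRisk("laptop theft", 0.05, 2_000, 250, 2_000),
    InsurableRisk("warehouse fire", 0.02, 1_000_000, 12_000, 750_000),
    InsurableRisk("war damage", 0.001, 5_000_000, 0, 0, insurable=False),
]


def treatment_table(portfolio=PORTFOLIO) -> dict:
    """Map each risk name to (decision, amount retained if the event occurs)."""
    return {r.name: (choose_treatment(r), retained_loss(r)) for r in portfolio}
```

Note that the warehouse fire is worth insuring yet still leaves a retained gap of 250,000 above the coverage limit, which is exactly the "amount over the amount insured" the text describes.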
Create a risk management plan
Select appropriate controls or countermeasures to mitigate each risk. Risk mitigation needs to be
approved by the appropriate level of management. For instance, a risk concerning the image of
the organization should have a top management decision behind it, whereas IT management would
have the authority to decide on computer virus risks.
The risk management plan should propose applicable and effective security controls for
managing the risks. For example, an observed high risk of computer viruses could be mitigated
by acquiring and implementing antivirus software. A good risk management plan should contain
a schedule for control implementation and responsible persons for those actions.
According to ISO/IEC 27001, the stage immediately after completion of the risk assessment
phase consists of preparing a Risk Treatment Plan, which should document the decisions about
how each of the identified risks should be handled. Mitigation of risks often means selection of
security controls, which should be documented in a Statement of Applicability, which identifies
which particular control objectives and controls from the standard have been selected, and why.
Implementation
Implementation follows all of the planned methods for mitigating the effect of the risks:
purchase insurance policies for the risks that have been chosen for transfer to an insurer,
avoid all risks that can be avoided without sacrificing the entity's goals, reduce others, and retain
the rest.
Initial risk management plans will never be perfect. Practice, experience, and actual loss results
will necessitate changes in the plan and contribute information to allow possible different
decisions to be made in dealing with the risks being faced.
Risk analysis results and management plans should be updated periodically. There are two
primary reasons for this:
1. To evaluate whether the previously selected security controls are still applicable and
effective
2. To evaluate possible risk level changes in the business environment. Information risks, for
example, are typical of a rapidly changing business environment.
Risk management within a particular project includes the following activities:
1. Planning how risk will be managed in the particular project. Plans should include risk
management tasks, responsibilities, activities and budget.
2. Assigning a risk officer – a team member other than the project manager who is responsible
for foreseeing potential project problems. A typical characteristic of a risk officer is
healthy skepticism.
3. Maintaining a live project risk database. Each risk should have the following attributes:
opening date, title, short description, probability and importance. Optionally a risk may
have an assigned person responsible for its resolution and a date by which the risk must
be resolved.
4. Creating an anonymous risk reporting channel. Each team member should have the
possibility to report risks that he/she foresees in the project.
5. Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of the
mitigation plan is to describe how this particular risk will be handled – what, when, by
whom and how it will be done to avoid it or minimize the consequences if it becomes a
liability.
6. Summarizing planned and faced risks, the effectiveness of mitigation activities, and the effort
spent on risk management.
Risk management and business continuity
Risk management is simply a practice of systematically selecting cost effective approaches for
minimizing the effect of threat realization to the organization. All risks can never be fully
avoided or mitigated simply because of financial and practical limitations. Therefore all
organizations have to accept some level of residual risks.
Whereas risk management tends to be preemptive, business continuity planning (BCP) was
invented to deal with the consequences of realized residual risks. The necessity to have BCP in
place arises because even very unlikely events will occur if given enough time. Risk
management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these
processes are so tightly tied together that such separation seems artificial. For example, the risk
management process creates important inputs for the BCP (assets, impact assessments, cost
estimates etc.). Risk management also proposes applicable controls for the observed risks.
Therefore, risk management covers several areas that are vital for the BCP process. However, the
BCP process goes beyond risk management's preemptive approach and assumes that the disaster
will happen at some point.
Risk communication
Accept and involve the public/other consumers as legitimate partners (e.g. stakeholders).
Plan carefully and evaluate your efforts with a focus on your strengths, weaknesses,
opportunities, and threats (SWOT).
Listen to the stakeholders' specific concerns.
Be honest, frank, and open.
Coordinate and collaborate with other credible sources.
Meet the needs of the media.
Speak clearly and with compassion.